MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93b4057e7733498ff971cfe761815a8a81da63165cbc4aa1082debda9bcd55b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 17

Intelligence 17 IOCs YARA 5 File information Comments

SHA256 hash:	93b4057e7733498ff971cfe761815a8a81da63165cbc4aa1082debda9bcd55b5
SHA3-384 hash:	8016beb2d5e70e7894de73e1a2c75a1ce614baf0abf3a7e52400a17da533d4fabd42f305685a4d209646d25c1836de1d
SHA1 hash:	2770766fd26307c9635d7e1c4b4b0027cc3e682f
MD5 hash:	536e560c189e4ea19cc2ff8838050598
humanhash:	thirteen-mockingbird-charlie-ohio
File name:	536e560c189e4ea19cc2ff8838050598.exe
Download:	download sample
Signature	Amadey Create hunting rule
File size:	905'216 bytes
First seen:	2023-05-11 15:35:29 UTC
Last seen:	2023-05-13 22:43:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	24576:kyD8W9P2Mm33KxDq3ujUiZe3DRw5DR2Yi:zDT9Pjm32DJte3Fw5l2Y
Threatray	318 similar samples on MalwareBazaar
TLSH	T137152203EBD99A21D8FA27B104F702871F34BE964D32927E16825C890C73BD469767B7
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	abuse_ch
Tags:	Amadey exe

abuse_ch

Amadey C2:
185.161.248.75:4132

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

536e560c189e4ea19cc2ff8838050598.exe

Verdict:

Malicious activity

Analysis date:

2023-05-11 15:37:17 UTC

Tags:

rat redline trojan amadey

Link:

https://app.any.run/tasks/345aa5bc-c6c9-4a17-b908-a5cad256bd2b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/388424/

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

SecuriteInfo.com.Trojan.PWS.RedLineNET.6.30883.12673.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Launching cmd.exe command interpreter

Searching for the window

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Launching a service

Unauthorized injection to a recently created process

Sending a TCP request to an infection source

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/83520/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

advpack.dll amadey CAB comodo confuserex installer packed packed rundll32.exe setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/645d0b654427eddb118c3039/reports/36875839-bf3a-485a-bf01-0fb8e59416a1/overview

Verdict:

Malicious

Labled as:

HEUR/AGEN.1310591

Link:

https://www.hybrid-analysis.com/sample/93b4057e7733498ff971cfe761815a8a81da63165cbc4aa1082debda9bcd55b5

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Deyma

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b08107b2-0059-4361-b657-aea61312807e

Result

Threat name:

Amadey, RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1230889

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Amadeys stealer DLL

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/93b4057e7733498ff971cfe761815a8a81da63165cbc4aa1082debda9bcd55b5/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2023-05-11 15:36:12 UTC

File Type:

PE (Exe)

Extracted files:

116

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=so2ak7txgney76lrz7twdak2rka5uyywls6eviiifxv5vg6nkw2q._file

Verdict:

malicious

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:debro botnet:gogen discovery evasion infostealer persistence spyware stealer trojan

Link:

https://tria.ge/reports/230511-s1w6vagb2x/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Modifies Windows Defender Real-time Protection settings

RedLine

Malware Config

C2 Extraction:

185.161.248.75:4132

Unpacked files

SH256 hash:

389c88af69acdd1a6211f2a983b3e46fb7fd4212799293a803b9dfe340670f5f

MD5 hash:

81e86042bdb2e0504ef951fd977d5598

SHA1 hash:

f158153bbf3cc04e7343f92a1972730d4111844e

Link:

https://www.unpac.me/results/3846d89e-5285-4699-af2f-12f6a79366cd/

SH256 hash:

2550a5839ed554039001288580fccc4f12df05c94e42c9e22b302094ac93dc02

MD5 hash:

299c969f9550e1e4ec7cef95a5a9caeb

SHA1 hash:

b3119fd7abbb34ff11d0f8c0029933fc849ada46

Detections:

redline

Link:

https://www.unpac.me/results/3846d89e-5285-4699-af2f-12f6a79366cd/

Parent samples :

d11e02cc2ce31a34d48437992e2e96956b97e249960f2fd28479e8dbd329bbc1
32c7c9dd6ceb2fd8e565617f0e33615c72727f907ca62ffee1e30f6693d35d70
a574f5fe12dd99eb7c6ced297707327025363dc480d1d9b89474bb8ccebdf340
5e97cadd04a17da3f4f87af7b3ac747d3faac664c3588f5d212965294b8900d3
94e2aab4a036f8788be69af92be5568812541993f735732ec0f0d00dec17126b
bc16fbf93d80cbd51ecff034dce428809c082100d774eee10eceb04fb106a5ff
7a1e764ffbc42d4e9ce414e4f6deb4f44dbe39f2ea4d2ba7b48aaa480e1b4536
93b4057e7733498ff971cfe761815a8a81da63165cbc4aa1082debda9bcd55b5
2a21da802e26b2d828b38b3ce2fe3ffce5153e6c6a113f1a091ec874211bc890
f8cb70ff35016137f6ffac142ac61a36f47ee76fc792a865dd0f3c6625958ce8
db1c8fc3822511f7e804660ea93dfe82713dc79a1d9d80cc6bbf236e415d644f
4efd9345b81d93819658bf03353e8bb79e666682256eb551c77b7e9a9dd64a80
c0c1030bbba4126b51da03be33c6bc09da536259c029001f969b28d736f3e011
cef8ed0baea5977ec92a708285e67dc86c84b18a6eac72e53674d5b9d85f97e6
9095a896f5486e40ed6f168cc3feb1d6875ffc56e29a86143824b17632d7cc2d
ef0e0f3b397be2c91250868dfd86c94971df26403b3f146683b948d4856ac9a8
bd617ede15a79ede4ac461e6736f133a29ec6d7a79271992270286c2f881422a
c27f551766140e14a35f04c230ed09f28a4df423db1f53dba3bba5046c65bb11
c526ee0d3bec6aaa007be4cfe73e9983b2f429e425083cccfa41010da49cd28e
ce5638eb5fdce0a9882127a6e53553caf3066e1c342115793b42c61389328410
cf27f83a4262559d923a90c2736a92facc137c0843831111e5aab5c7f462f778
d7c3d5e8ae14b370ea237a3af36c68c84f3a291d2f610c47825b80226cfb8ef0
d7f818cdc0949b0698bdb7a1e6b557b2e53d803427d360630602504c30be2ce7
dc647409431a151cbc058716edef6ab85ec267022ed19ce3c971ac11b787321b
df66d72c3c6d6c70f4784e9c24b1af4a3cb07ff9135531903ec1f54b752db6b6
e91cd6f3491d050a5583a85a8a9a661523f373a00251fa4dbccda2c865e7cef9
eca9b94dedeac84fa594bc441da231d795e2bbe961909200cb200aae89857bb1
a36cb619fe3f534ed41d78ea59fdb44890578743adb77e5c217309499726c098

SH256 hash:

bec48a3c926d2029f31272e14327a4bbde6603efa29eda9d52066856a5940b8b

MD5 hash:

4c2984041c9d057394302d45d2e1ca4f

SHA1 hash:

0fee220d178a79ec857181f06cf1028212f2cdef

Link:

https://www.unpac.me/results/3846d89e-5285-4699-af2f-12f6a79366cd/

SH256 hash:

44180e2dd1b45d374c73d580aebbbb8f390f2c0f00765d138fb952300f68b0bc

MD5 hash:

14ab6de74614132db925ca1d6d628f76

SHA1 hash:

a05d4306a935bf09de0ab6025c7ab72d08925ef8

Detections:

Amadey

Link:

https://www.unpac.me/results/3846d89e-5285-4699-af2f-12f6a79366cd/

Parent samples :

2b4f06b5c00bfef8e1e83bfa46f822dedb09d05779d8171ff91d59994f9bca14
58a30e4769f449019d29b3458663cb51aced48cb23ae507e81c43afb5f8390e2
d11e02cc2ce31a34d48437992e2e96956b97e249960f2fd28479e8dbd329bbc1
32c7c9dd6ceb2fd8e565617f0e33615c72727f907ca62ffee1e30f6693d35d70
a574f5fe12dd99eb7c6ced297707327025363dc480d1d9b89474bb8ccebdf340
5e97cadd04a17da3f4f87af7b3ac747d3faac664c3588f5d212965294b8900d3
94e2aab4a036f8788be69af92be5568812541993f735732ec0f0d00dec17126b
bc16fbf93d80cbd51ecff034dce428809c082100d774eee10eceb04fb106a5ff
7a1e764ffbc42d4e9ce414e4f6deb4f44dbe39f2ea4d2ba7b48aaa480e1b4536
93b4057e7733498ff971cfe761815a8a81da63165cbc4aa1082debda9bcd55b5
2a21da802e26b2d828b38b3ce2fe3ffce5153e6c6a113f1a091ec874211bc890
f8cb70ff35016137f6ffac142ac61a36f47ee76fc792a865dd0f3c6625958ce8
4efd9345b81d93819658bf03353e8bb79e666682256eb551c77b7e9a9dd64a80
c0c1030bbba4126b51da03be33c6bc09da536259c029001f969b28d736f3e011
cef8ed0baea5977ec92a708285e67dc86c84b18a6eac72e53674d5b9d85f97e6
d44985104da589aa6bb697827e5130180990444cef20cc7e18a5fa9e1847495c
ef0e0f3b397be2c91250868dfd86c94971df26403b3f146683b948d4856ac9a8
bd617ede15a79ede4ac461e6736f133a29ec6d7a79271992270286c2f881422a
c27f551766140e14a35f04c230ed09f28a4df423db1f53dba3bba5046c65bb11
c526ee0d3bec6aaa007be4cfe73e9983b2f429e425083cccfa41010da49cd28e
ce5638eb5fdce0a9882127a6e53553caf3066e1c342115793b42c61389328410
cf27f83a4262559d923a90c2736a92facc137c0843831111e5aab5c7f462f778
d7c3d5e8ae14b370ea237a3af36c68c84f3a291d2f610c47825b80226cfb8ef0
d7f818cdc0949b0698bdb7a1e6b557b2e53d803427d360630602504c30be2ce7
dc647409431a151cbc058716edef6ab85ec267022ed19ce3c971ac11b787321b
df66d72c3c6d6c70f4784e9c24b1af4a3cb07ff9135531903ec1f54b752db6b6
e91cd6f3491d050a5583a85a8a9a661523f373a00251fa4dbccda2c865e7cef9
eca9b94dedeac84fa594bc441da231d795e2bbe961909200cb200aae89857bb1
a36cb619fe3f534ed41d78ea59fdb44890578743adb77e5c217309499726c098

SH256 hash:

bacb7d9e71887b70689ae9c86779b188a79eb1b9c8b81a5cd583cdbda1755003

MD5 hash:

1ae9975cfe3aa175cb084a1048be0789

SHA1 hash:

7803f4914bedcb2ac9ef3b08bcc57d98c6a16742

Link:

https://www.unpac.me/results/3846d89e-5285-4699-af2f-12f6a79366cd/

SH256 hash:

93b4057e7733498ff971cfe761815a8a81da63165cbc4aa1082debda9bcd55b5

MD5 hash:

536e560c189e4ea19cc2ff8838050598

SHA1 hash:

2770766fd26307c9635d7e1c4b4b0027cc3e682f

Link:

https://www.unpac.me/results/3846d89e-5285-4699-af2f-12f6a79366cd/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/93b4057e7733/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	RedLine Stealer Payload

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

exe 93b4057e7733498ff971cfe761815a8a81da63165cbc4aa1082debda9bcd55b5

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2627020/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/388424/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample